Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome

The ASEC analysis team has been continuously monitoring Magniber, a ransomware strain distributed through Internet Explorer (IE) vulnerabilities. For the last couple of years the attacker behind Magniber has exploited IE vulnerabilities to deploy the ransomware, and as shown in the previous blog post below, it is still being distributed this way. What is new is that Magniber’s distribution has now been confirmed on browsers other than IE: Microsoft Edge and Google Chrome.

This blog post explains how Magniber is distributed through these two browsers.

Figure 1 and Figure 2 show the distribution pages opened in Edge and Chrome, respectively. Both pages prompt the user to install a Windows application package file (.appx) to update the corresponding browser.

Figure 1. Distribution page on Edge

Figure 2. Distribution page on Chrome

Note that the APPX file, disguised as a Windows update application for Chrome or Edge, internally contains a valid certificate (see Figure 3). The Windows application (.appx) is therefore classified as a trusted application and its installation is allowed.

Figure 3. Valid certificate info

Figure 4 shows the result of executing the downloaded APPX file: a malicious EXE and DLL are created in a child path of C:\Program Files\WindowsApps.

Figure 4. Malicious EXE and DLL created upon installing APPX file

Figure 5 shows the code of the created EXE file (wjoiyyxzllm.exe). It loads the DLL file (wjoiyyxzllm.dll) that was created alongside it and calls a specific function (mbenooj).

Figure 5. Code of wjoiyyxzllm.exe

Figure 6 shows the part of the DLL code that downloads the ransomware’s encoded payload and decodes it.

Figure 6. Part of DLL code (download and execute ransomware)

Ultimately, Magniber runs in the memory of wjoiyyxzllm.exe, encrypts the user’s files, and creates a ransom note demanding payment to restore the files (Figure 7).

Figure 7. Ransom note that is created following file encryption (Magniber)

Magniber’s distributor signed the APPX file with a trusted certificate so that it passes as an innocuous app and deceives the system. Users must refrain from accessing untrusted websites and keep security software such as V3 updated to the latest version.
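As an added hunting example (not code from the ASEC post), the following PowerShell enumerates installed AppX packages and flags the pattern described above: a package not signed by the Store or as a system component, a publisher outside a locally maintained allowlist (the allowlist below is a constructed sample), an EXE/DLL pair sharing one base name under WindowsApps, and the two MD5 hashes listed in the IOC section. It assumes Windows 10/11 with PowerShell 5.1 and an elevated session.

```powershell
# Added hunting example, not from the ASEC post. Run as Administrator.
# Hashes come from the post's IOC section; the publisher allowlist is a constructed
# sample that should be replaced with the organization's own baseline.
$KnownBadMd5 = @('cf16310545bf91d3ded081f9220af7cc',   # exe
                 '12a12ea3b7d84d1bd0aad215d024665c')   # dll
$PublisherAllowList = @('CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US')

function Get-SuspiciousAppx {
    param([string[]]$BadMd5, [string[]]$AllowList)
    $findings = @()
    # Store/System-signed packages are left alone; sideloaded ones get a closer look.
    $pkgs = Get-AppxPackage -AllUsers | Where-Object { $_.SignatureKind -notin @('Store', 'System') }
    foreach ($p in $pkgs) {
        $reasons = @()
        # A valid certificate alone proves nothing (the post's sample had one), so the
        # publisher is compared against a known-good list instead of just "is signed".
        if ($p.Publisher -notin $AllowList) { $reasons += "publisher not in allowlist: $($p.Publisher)" }
        if ($p.InstallLocation -and (Test-Path $p.InstallLocation)) {
            # NOTE: default ACLs on C:\Program Files\WindowsApps may hide files even from
            # admins; if nothing is returned, only the package-level checks above apply.
            $bins = Get-ChildItem -Path $p.InstallLocation -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue
            # Loader pattern from the post: wjoiyyxzllm.exe loading wjoiyyxzllm.dll
            $pairs = $bins | Group-Object BaseName |
                     Where-Object { ($_.Group.Extension | Sort-Object -Unique).Count -ge 2 }
            foreach ($pair in $pairs) { $reasons += "exe/dll pair sharing base name: $($pair.Name)" }
            foreach ($f in $bins) {
                $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                if ($md5 -and ($BadMd5 -contains $md5.ToLower())) { $reasons += "known Magniber hash: $($f.Name) $md5" }
            }
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Package   = $p.PackageFullName
                Publisher = $p.Publisher
                Signature = $p.SignatureKind
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Get-SuspiciousAppx -BadMd5 $KnownBadMd5 -AllowList $PublisherAllowList | Format-List
```

Any hit on the hash check is a confirmed match for this campaign; the other checks are hunting leads that need review against the local software inventory.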

[File Detection]
exe loader: Trojan/Win.Loader.R462129 (2022.01.03.02)
Magniber dll: Ransomware/Win.Magniber.R462664 (2022.01.06.00), Ransomware/Win.Magniber.X2130 (2022.01.06.02)

[Behavior Detection]
Ransom/MDP.Decoy.M1171

[Memory Detection]
Ransomware/Win.Magniber.XM135 (2022.01.06.02)

[IOC]
cf16310545bf91d3ded081f9220af7cc (exe)
12a12ea3b7d84d1bd0aad215d024665c (dll)
hxxp://b5305c364336bqd.bytesoh.cam
hxxp://hadhill.quest/376s53290a9n2j
